Vulnerable Library - redcarpet-3.2.3.gem
A fast, safe and extensible Markdown to (X)HTML parser
Library home page: https://rubygems.org/gems/redcarpet-3.2.3.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/redcarpet-3.2.3.gem
Found in HEAD commit: 0dc5f6399caa3378e1374e91179039e2f27bffb8
Vulnerabilities
| CVE |
Severity |
CVSS |
Exploit Maturity |
EPSS |
Dependency |
Type |
Fixed in (redcarpet version) |
Remediation Possible** |
Reachability |
| CVE-2015-5147 |
High |
7.3 |
Not Defined |
1.0% |
redcarpet-3.2.3.gem |
Direct |
3.3.2 |
✅ |
|
| CVE-2020-26298 |
Medium |
5.4 |
Not Defined |
0.1% |
redcarpet-3.2.3.gem |
Direct |
redcarpet - 3.5.1 |
✅ |
|
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2015-5147
Vulnerable Library - redcarpet-3.2.3.gem
A fast, safe and extensible Markdown to (X)HTML parser
Library home page: https://rubygems.org/gems/redcarpet-3.2.3.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/redcarpet-3.2.3.gem
Dependency Hierarchy:
- ❌ redcarpet-3.2.3.gem (Vulnerable Library)
Found in HEAD commit: 0dc5f6399caa3378e1374e91179039e2f27bffb8
Found in base branch: main
Vulnerability Details
Stack-based buffer overflow in the header_anchor function in the HTML renderer in Redcarpet before 3.3.2 allows attackers to cause a denial of service (crash) and possibly execute arbitrary code via unspecified vectors.
Publish Date: 2015-07-14
URL: CVE-2015-5147
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 1.0%
CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-5147
Release Date: 2015-07-14
Fix Resolution: 3.3.2
In order to enable automatic remediation, please create workflow rules
CVE-2020-26298
Vulnerable Library - redcarpet-3.2.3.gem
A fast, safe and extensible Markdown to (X)HTML parser
Library home page: https://rubygems.org/gems/redcarpet-3.2.3.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/redcarpet-3.2.3.gem
Dependency Hierarchy:
- ❌ redcarpet-3.2.3.gem (Vulnerable Library)
Found in HEAD commit: 0dc5f6399caa3378e1374e91179039e2f27bffb8
Found in base branch: main
Vulnerability Details
Redcarpet is a Ruby library for Markdown processing. In Redcarpet before version 3.5.1, there is an injection vulnerability which can enable a cross-site scripting attack. In affected versions no HTML escaping was being performed when processing quotes. This applies even when the :escape_html option was being used. This is fixed in version 3.5.1 by the referenced commit.
Publish Date: 2021-01-11
URL: CVE-2020-26298
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.1%
CVSS 3 Score Details (5.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-q3wr-qw3g-3p4h
Release Date: 2021-01-11
Fix Resolution: redcarpet - 3.5.1
In order to enable automatic remediation, please create workflow rules
In order to enable automatic remediation for this issue, please create workflow rules
A fast, safe and extensible Markdown to (X)HTML parser
Library home page: https://rubygems.org/gems/redcarpet-3.2.3.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/redcarpet-3.2.3.gem
Found in HEAD commit: 0dc5f6399caa3378e1374e91179039e2f27bffb8
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - redcarpet-3.2.3.gem
A fast, safe and extensible Markdown to (X)HTML parser
Library home page: https://rubygems.org/gems/redcarpet-3.2.3.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/redcarpet-3.2.3.gem
Dependency Hierarchy:
Found in HEAD commit: 0dc5f6399caa3378e1374e91179039e2f27bffb8
Found in base branch: main
Vulnerability Details
Stack-based buffer overflow in the header_anchor function in the HTML renderer in Redcarpet before 3.3.2 allows attackers to cause a denial of service (crash) and possibly execute arbitrary code via unspecified vectors.
Publish Date: 2015-07-14
URL: CVE-2015-5147
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 1.0%
CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-5147
Release Date: 2015-07-14
Fix Resolution: 3.3.2
In order to enable automatic remediation, please create workflow rules
Vulnerable Library - redcarpet-3.2.3.gem
A fast, safe and extensible Markdown to (X)HTML parser
Library home page: https://rubygems.org/gems/redcarpet-3.2.3.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/redcarpet-3.2.3.gem
Dependency Hierarchy:
Found in HEAD commit: 0dc5f6399caa3378e1374e91179039e2f27bffb8
Found in base branch: main
Vulnerability Details
Redcarpet is a Ruby library for Markdown processing. In Redcarpet before version 3.5.1, there is an injection vulnerability which can enable a cross-site scripting attack. In affected versions no HTML escaping was being performed when processing quotes. This applies even when the
:escape_htmloption was being used. This is fixed in version 3.5.1 by the referenced commit.Publish Date: 2021-01-11
URL: CVE-2020-26298
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.1%
CVSS 3 Score Details (5.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-q3wr-qw3g-3p4h
Release Date: 2021-01-11
Fix Resolution: redcarpet - 3.5.1
In order to enable automatic remediation, please create workflow rules
In order to enable automatic remediation for this issue, please create workflow rules